[Cryptography] NSA voting on TLS encryption at the IETF TLS WG

Andrew Lee andrew at joseon.com
Thu Jul 2 20:06:31 EDT 2026


I think your read is accurate, but I hope others chime in as well.

On Jul 2, 2026, at 3:40 PM, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> - the extra cost of ECC is minor (how minor?)

~100 us [1] on an old CPU and 32 bytes [2].

Best,
Andrew

[1] Nothing compared to network latency.

[2] The test below is for illustrative purposes only and is not a proper implementation (Go):

package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"

	"filippo.io/mlkem768"
)

// iterations is the number of timed calls made to each benchmarked function
// in main, after the warm-up loop has run.
const iterations = 10_000

// solo runs one ML-KEM-768 key generation, one encapsulation against the
// resulting encapsulation key, and one decapsulation of the ciphertext.
// main uses it as the ML-KEM-only baseline that is subtracted from hybrid.
//
// Every error and both shared secrets are discarded. That is tolerable only
// because this function exists to be timed; code that actually establishes a
// key must check each error and use the decapsulated secret.
func solo() {
	decapKey, _ := mlkem768.GenerateKey()
	encapKey := decapKey.EncapsulationKey()
	ciphertext, _, _ := mlkem768.Encapsulate(encapKey)
	mlkem768.Decapsulate(decapKey, ciphertext)
}

// x25519 generates two fresh X25519 key pairs and returns the shared secret
// computed from the first private key and the second public key.
//
// NOTE(review): only one ECDH computation is performed, whereas two peers
// would each perform their own. The timing therefore covers two key
// generations and one agreement. Errors are ignored because this is a
// benchmark helper, not key-establishment code.
func x25519() []byte {
	curve := ecdh.X25519()
	alice, _ := curve.GenerateKey(rand.Reader)
	bob, _ := curve.GenerateKey(rand.Reader)
	shared, _ := alice.ECDH(bob.PublicKey())
	return shared
}

// hybrid performs the same ML-KEM-768 steps as solo, then adds an X25519
// agreement and derives 32 bytes with HKDF-SHA256 over the ML-KEM shared
// secret followed by the X25519 shared secret.
//
// NOTE(review): this is a cost model, not a key exchange. Errors, the
// decapsulated secret and the derived key are all discarded. The nil salt
// and the "tls13 hybrid" info string are benchmark stand-ins, not the TLS 1.3
// key schedule. Check the hybrid key-exchange specification before reusing
// any of this.
func hybrid() {
	decapKey, _ := mlkem768.GenerateKey()
	encapKey := decapKey.EncapsulationKey()
	ciphertext, kemSecret, _ := mlkem768.Encapsulate(encapKey)
	mlkem768.Decapsulate(decapKey, ciphertext)

	// append may extend kemSecret's backing array in place; that is harmless
	// here because kemSecret is not read again afterwards.
	combined := append(kemSecret, x25519()...)
	hkdf.Key(sha256.New, combined, nil, "tls13 hybrid", 32)
}

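// avg calls fn n times back to back and returns the mean wall-clock duration
// of one call. The loop overhead is included in the measurement.
//
// A non-positive n returns 0 without calling fn, instead of dividing by zero
// (n == 0) or producing a meaningless negative quotient (n < 0).
func avg(fn func(), n int) time.Duration {
	if n <= 0 {
		return 0
	}
	start := time.Now()
	for i := 0; i < n; i++ {
		fn()
	}
	return time.Since(start) / time.Duration(n)
}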

// main warms up both code paths, then prints the difference between the
// average duration of hybrid and the average duration of solo.
//
// The printed value is the extra time hybrid takes over the ML-KEM-only run
// (the X25519 and HKDF work), not the total cost of a hybrid exchange.
func main() {
	// Run both paths untimed first so one-time start-up costs do not land in
	// whichever function happens to be measured first.
	const warmup = 500
	for round := 0; round < warmup; round++ {
		solo()
		hybrid()
	}

	// hybrid is timed before solo, matching the left-to-right evaluation
	// order of a single subtraction expression.
	hybridAvg := avg(hybrid, iterations)
	soloAvg := avg(solo, iterations)
	fmt.Printf("ML-KEM+X25519 cost: %v\n", hybridAvg-soloAvg)
}

Best,
Andrew


